Activesync not working for Windows Phone with certificate

  • Question

  • We have a new Exchange Server 2013 setup and are using ActiveSync.  We have set up a policy to require a simple password and to send an email to provision a device when it connects.  ActiveSync is set up to use self-signed certificates; this was tested first on the iPad.  Certificate installed, entered the settings, and the device appeared in the quarantined devices list waiting to be approved.  This was also done on the iPhone and worked.

    When putting the same certificate on the Windows Phone device it errored with "there is a problem with {}" and it does not appear in the quarantined devices screen.

    I tested again with another iPad and an Android device and they work without an issue.  Tested with a Windows RT device and got the same issue.  If I look in the IIS log files I can see the Windows device making a connection, then what I presume to be the error 500 at the end of the line.

    This is not a user issue as I can use the same user on the various devices.  The Windows devices just do not want to connect.  We have looked at the certificate, but if it works for Apple and Android devices why does it not work for Windows?  Are there any additional security settings that need to be turned on or off for Windows phones?  Is there something specific on the certificate that Windows devices need that others ignore?

    Tuesday, April 15, 2014 1:50 PM

All replies

  • I had something similar with a few Windows phones and all I did was remove the account, restart the phone and then add the account back in.  You may try it if you haven't already.  It worked for us!

    Good luck!


    Tuesday, April 15, 2014 11:03 PM
  • I've tested with a new user and I get the same issue.  I don't think our issue is user related as the same users can connect with an Apple or Android device.

    I think our issue is related to the way the certificate is set up.  On the server in the DMZ, which then uses ARR to get to the backend, we are using a public wildcard SSL certificate.  On the backend Exchange server we are using a self-signed certificate which does contain the address we are using along with the internal names of the server.  The mobile devices are given the internal self-signed certificate for authentication.  Is there something that Apple and Android ignore with regards to the certificates?

    Wednesday, April 16, 2014 10:06 AM
  • I've been investigating this issue further and have found that the internalURL is set but the externalURL is currently blank.  I'm assuming this needs to be set?  But why would this work for Apple and Android?
    Tuesday, April 22, 2014 3:57 PM
  • Looks like a Windows Phone issue; you may need to post to the Windows Forum.

    Where Technology Meets Talent

    Wednesday, April 23, 2014 2:35 AM
  • I did initially think it might be a Windows Phone issue but there are no other settings for me to use.  I have also tested using a Windows 8 Surface and I get the same issue.

    I have raised the event log level on the Exchange server to expert and I have seen 2 messages when I try to connect.

    I get Event ID 1100:  Exchange ActiveSync device requests for your users are being blocked.  This problem frequently occurs when HTTP OPTIONS method is not allowed.

    I know it is allowed as the test Exchange connectivity worked and passed that test.

    The other error is Event ID 1309, an ASP.NET warning.  Part of the exception message is DeviceTypeMissingOrInvalid.

    I have come across a comment that says for certificates to work you need to use Windows Intune or SCCM, which we don't have.  Do we know if this is true?

    Wednesday, April 23, 2014 12:46 PM
  • Self-signed certificates are in general not recommended. However, if your devices are hitting the DMZ where there is a certificate issued by a public CA this shouldn't be an issue. (Self-signed certs internally are obviously OK.)

    Does the Exchange Connectivity Analyzer show the correct/expected certificate chain or does it present warnings?

    Tuesday, May 6, 2014 11:41 AM
  • Use the link and test your Exchange ActiveSync connectivity.

    Where Technology Meets Talent

    Wednesday, May 7, 2014 4:09 AM
  • Yes, you will need both URLs and that should be fine for the others (wonder how they are working now, maybe they are connecting only using the internal URL!)

    Ramu V Ramanan

    Wednesday, May 7, 2014 4:58 AM
  • Any updates?

    Where Technology Meets Talent

    Thursday, May 29, 2014 4:08 AM
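
The thread mentions an HTTP 500 in the IIS log and a DeviceTypeMissingOrInvalid exception. The following is an added example, not part of any post above: it tallies ActiveSync requests in an IIS W3C log by DeviceType and status and lists the failing requests that carry no DeviceType. The log lines, user agents and device IDs are constructed, and the script assumes the query string is logged in plain text (not base64-encoded).

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2014-04-23 12:40:01 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=A1&DeviceType=iPad alice 192.0.2.10 Apple-iPad3C1/1104.201 200
2014-04-23 12:41:07 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=alice&DeviceId=A1&DeviceType=iPad alice 192.0.2.10 Apple-iPad3C1/1104.201 200
2014-04-23 12:44:30 OPTIONS /Microsoft-Server-ActiveSync/default.eas - alice 192.0.2.20 ExampleWindowsClient/1.0 500
2014-04-23 12:44:31 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&User=alice&DeviceId=B2 alice 192.0.2.20 ExampleWindowsClient/1.0 500
2014-04-23 12:45:00 GET /owa/ - alice 192.0.2.30 Mozilla/5.0 200
"""

EAS_PATH = "/microsoft-server-activesync"


def summarize_eas(log_text):
    """Return (Counter keyed by (DeviceType, status), failing rows with no DeviceType)."""
    fields, counts, suspects = [], Counter(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log's own header, so custom field sets work.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if not row["cs-uri-stem"].lower().startswith(EAS_PATH):
            continue  # not an ActiveSync request
        query = parse_qs(row["cs-uri-query"]) if row["cs-uri-query"] != "-" else {}
        device_type = query.get("DeviceType", ["<missing>"])[0]
        status = int(row["sc-status"])
        counts[(device_type, status)] += 1
        if device_type == "<missing>" and status >= 500:
            suspects.append((row["date"], row["time"], row["c-ip"], row["cs(User-Agent)"]))
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = summarize_eas(SAMPLE_LOG)
    for (device_type, status), n in sorted(counts.items()):
        print(f"{device_type:10} {status} x{n}")
    for s in suspects:
        print("5xx without DeviceType:", *s)
```

Comparing the rows from a working device with those from a failing one shows whether the failing client sends the same parameters and reaches the same virtual directory.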